[pve-devel] missing cpu flags? (CVE-2018-3639)

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Mon Aug 20 20:48:13 CEST 2018


Am 20.08.2018 um 17:19 schrieb Alexandre DERUMIER:
> Hi Stefan,
> 
> thanks for the infos!
> 
> 
>>> At least ssbd is important for guest to mitigate CVE-2018-3639. 
> 
> This need qemu 3.0 :/
> 
> https://wiki.qemu.org/ChangeLog/3.0
> 
> "The 'ssbd', 'virt-ssbd', 'amd-ssbd' and 'amd-no-ssb' CPU feature flags are added in relation to the "Speculative Store Bypass" hardware vulnerability (CVE-2018-3639)"

You already answered yourself ;-) it's working fine with 2.11.2. I'm
already using it since a few days.

>>> It also seems to make sense to enable pdpe1gb 
> 
> is it related to a vulnerability ?
No.


> it's already possible to use hugepage currently with "hugepages: <1024 | 2 | any>". But it's only on the qemu/hostside.
> I think pdpe1gb expose hugepage inside the guest, right ?
Yes.

Stefan

> 
> ----- Mail original -----
> De: "Stefan Priebe, Profihost AG" <s.priebe at profihost.ag>
> À: "pve-devel" <pve-devel at pve.proxmox.com>
> Envoyé: Vendredi 17 Août 2018 13:30:10
> Objet: [pve-devel] missing cpu flags? (CVE-2018-3639)
> 
> Hello, 
> 
> after researching l1tf mitigation for qemu and reading https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/ 
> 
> It seems pve misses at least the following cpu flag: 
> ssbd 
> 
> It also seems to make sense to enable pdpe1gb 
> 
> At least ssbd is important for guest to mitigate CVE-2018-3639. 
> 
> Greets, 
> Stefan 
> 
> Excuse my typo sent from my mobile phone. 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 



More information about the pve-devel mailing list